Congress seemed ready to move quickly on legislation that wouldrequire companies to notify customers when their personalinformation had been compromised.
Now, more than a year after data breaches at ChoicePoint Inc. andLexisNexis set off a national debate about identification theft anddata security, time is running out for Congress to pass a lawbefore it finishes business this year. Some proponents of anational breach notification law say it’s unlikely that Congresswill be able to pass a law by then.
Lawmakers have introduced more than 10 bills dealing with databreach notification since early 2005. The bills differ in severalways, including varying requirements about when a breached companyshould notify customers and whether consumers should be able tofreeze their credit reports following a breach.
Beyond the confusion about the differences in the bills, fivecongressional committees have claimed jurisdiction over some of thedata breach bills. “It’s certainly a popular and pro-consumer issueto tackle,” said David Sohn, a staff counsel at the Center forDemocracy and Technology, a privacy and civil rights advocacygroup. “It’s difficult to see how Congress will reconcile all thebills.”
In late 2005, a data breach notification law seemed virtuallyassured; even data brokers such as ChoicePoint advocated a federallaw that would preempt state notification laws that were popping upacross the U.S. About 23 states have passed their own notificationlaws, and backers of a federal law say interstate businesses willhave difficulty complying with dozens of state laws.
Two data breach notification bills have passed through Senatecommittees and are awaiting action on the Senate floor, and twoother bills are awaiting action on the House floor. A spokesman forSenator Dianne Feinstein, a California Democrat and early advocatefor a national data breach notification law, said he’s stillhopeful a law will get through Congress this year, but others areless optimistic.
Both the House and the Senate have targeted Oct. 6 to adjourn forthe year, giving lawmakers about a month to campaign for theNovember general elections. Both legislative chambers will be outof session for most of August, and national issues such asimmigration reform and gas prices are likely to dominate lawmakers’attention. When the new Congress takes office in January, all billsthat didn’t pass before the election will have to bereintroduced.
Asked Wednesday if a data breach bill would pass this year, JamesAssey Jr. , a senior Democratic counsel in the Senate Commerce,Science and Transportation Committee, said he’s unsure, even thoughdata breach notification bills have enjoyed bipartisan support.
“It’s unclear what Congress will do,” he said during an Associationfor Computing Machinery (ACM) conference. “Going into the nextCongress, I feel certain these issues will return.”
Last month, a group of executives from IT security vendors came toWashington, D.C., to push for a data breach bill, with some worriedthat Congress was letting the issue die. Organized by the CyberSecurity Industry Alliance, the trip left some participants withcontinuing concerns that Congress has put the issue on the backburner.
Participants told lawmakers and staff, “You might want to poll yourconstituents and see if this is important,” said PhilipDunkelberger, president and chief executive officer of PGP Corp.”We’re saying, ‘You need to get the legislation out there wherepeople can have an open, public debate’.”
One of the big debates about the legislation is what should triggercustomer notification. Some of the bills allow data-holdingcompanies to decide when to report by requiring notification onlywhen there’s a “significant” risk of ID theft. Other bills requirereporting for virtually all data breaches, but critics sayconsumers could get “notification fatigue.”
But if companies are allowed to determine when there’s asignificant risk, there’s likely to be little notification, saidDaniel Solove, a privacy advocate and law professor at GeorgeWashington University in Washington, D.C. “Every company has anincentive not to say, ‘You really are at a big risk’,” Solove saidat the ACM conference.
Many of the notification bills in Congress would be weaker thansome of the state laws already passed, Solove added. State laws inCalifornia and New York, for example, require notification any timethere’s been a breach of unencrypted data and don’t allow companiesto decide whether there’s a significant risk.
Solove would rather see those state laws stand than see a nationalbreach notification bill pass, he said. Most of the congressionalbills are “not very stringent,” he said. “The state innovationshere are really good.”